SlawTips offered tips this week on setting up virtual meetings that focused mainly on how great it is to use Skype, seeing as how it’s free as well as functional.

Question: is it secure enough for lawyers? I know that the Ontario government does not allow me (or others) to download the software (or any other software….) to make it work. But I have heard as well from private sector lawyers that their IT departments don’t think Skype is secure enough to use professionally.

Is that your view, or experience?

What is the issue:

That Skype wants to set itself up by default to run as a server (a default that one can change)?

That people will be able to tap into conversations as they happen?

That conversations leave a record that may be accessible to unauthorized people later? (the video conference or text messages one might send during the meeting, or both?)

Other?

Do you use Skype in your practice, and if not, why not? And if so, is it on a balance of convenience basis or because you do not believe there are security issues at all?

Comments

I only have a few clients who mandate secure discussions (I’m a nerd), but for every one of these we mutually require “end to end” security. If it doesn’t have all of:
– access controls (who can join the call)
– trusted path (I’m using the program I think I am)
– audit (of the program and the call set-up)
– testing & assurance (of the program) and
– covert channels analysis (my data doesn’t leak out to others)
then it isn’t good enough. The above are the U.S. government’s “Orange Book” requirements for a secure service.

Skype formerly met the first requirement, but as far as I can tell, none of the others. These days I’m unsure it meets any.